🪪

Microsoft Entra ID Administration Handbook

Identity, Access, and Hybrid Sync

By Richard Gamarra

A working reference for administering Microsoft Entra ID: how identity flows from on-premises Active Directory into the cloud, how to manage users, groups, and roles the right way, how Conditional Access actually gets enforced, and what to check first when a sign-in fails. Written for the person on call, not the marketing deck.

40
Visible reference cards
🪪 Identity 🔐 Conditional Access 👥 Users & Groups 🛡️ PIM 🔑 MFA 🔄 Hybrid Sync ⚡ PowerShell / Graph 🧭 IT Operations

🧭 Identity Architecture

Entra ID is not just "Active Directory in the cloud." It's a separate identity platform with its own object model, its own trust boundaries, and its own way of deciding whether a device counts as managed. The first thing to get right on any new environment is knowing which join state each device is actually in, because that single fact decides whether Conditional Access, Intune policy, and single sign-on will work at all.

Device join states

Join stateWhat it meansTypical deviceSSO to cloud apps
Entra joinedDevice trusts Entra ID directly, no on-prem AD account at allCloud-first laptops, new hires, Autopilot devicesNative, no extra config
Hybrid Entra joinedDevice is joined to on-prem AD, then registered to Entra ID via Entra Connect or Cloud SyncExisting domain-joined desktops in a hybrid environmentWorks, but depends on sync health
Entra registeredPersonal or unmanaged device just added an account for app access, no organizational trustBYOD phones, personal laptopsLimited, app-level only

Check any device's actual state with dsregcmd /status. Don't assume, verify. A device that shows AzureAdJoined: NO and DomainJoined: YES is domain-joined only, not hybrid, and will fail modern auth flows that expect a cloud trust.

How identity gets into the cloud

Hybrid identity sync path
On-prem ADUsers, groups, devices
Entra Connect / Cloud SyncSync agent
Entra IDCloud directory
Conditional Access, Intune, SSO

Nothing in Entra ID is authoritative for a synced object; the on-prem AD attribute always wins. Editing a synced user's properties directly in Entra ID gets silently overwritten on the next sync cycle.

ToolWhat it syncsBest fit
Entra Connect SyncFull object sync, password hash sync or pass-through auth, writebackLarger environments needing writeback (password writeback, group writeback)
Cloud Sync (lightweight agent)Same core object sync, simpler agent, multiple lightweight agents for redundancyMulti-forest environments, simpler setup, easier failover

👥 Users & Groups

Groups are how almost everything gets targeted in Entra ID: licenses, Conditional Access, Intune policy, app access. Get the group model right early, because untangling a mess of one-off manual group memberships later is one of the most tedious cleanup jobs in the job.

Group types

TypeMembershipUse for
Security group, assignedManually added membersSmall, stable teams; break-glass accounts; admin role assignment
Security group, dynamicRule-based, evaluated automaticallyDepartment, job title, or device attribute targeting at scale
Microsoft 365 groupAssigned or dynamicTeams, SharePoint, shared mailbox provisioning bundled together

Dynamic membership rule examples

🏢
By department

All users in Finance

(user.department -eq "Finance")
📋
By job title

All help desk staff

(user.jobTitle -contains "Help Desk")
💻
Devices

All Windows 11 devices

(device.deviceOSType -eq "Windows") and
(device.deviceOSVersion -startsWith "10.0.22")
🚫
Exclusion

Everyone except service accounts

(user.userType -eq "Member") and
(user.accountEnabled -eq true) and
-not (user.userPrincipalName -match "svc-")

Managing users and groups with Microsoft Graph PowerShell

🔌
Connect

Connect with the right scopes

Connect-MgGraph -Scopes "User.ReadWrite.All", "Group.ReadWrite.All", "Directory.Read.All"
Create user

New user account

New-MgUser -DisplayName "Jordan Diaz" -UserPrincipalName "jdiaz@corp.onmicrosoft.com" `
  -MailNickname "jdiaz" -AccountEnabled `
  -PasswordProfile @{ Password = "TempPass!2026"; ForceChangePasswordNextSignIn = $true }
👥
Group membership

Add a user to a group

Add-MgGroupMember -GroupId $groupId -DirectoryObjectId $userId
📄
Bulk export

Export all users to CSV for an audit

Get-MgUser -All | Select-Object DisplayName, UserPrincipalName, AccountEnabled, Department |
  Export-Csv -Path "C:\Temp\users-audit.csv" -NoTypeInformation
🎫
Licensing

Check license assignment for a user

Get-MgUserLicenseDetail -UserId $userId

Group-based licensing (assigning a license SKU to a group instead of individual users) is the recommended approach; it removes the need to touch licenses per person.

🛡️ Roles & Privileged Identity Management

Standing admin access is a liability. Privileged Identity Management (PIM) turns permanent role assignments into time-bound, justified, auditable activations, so an account only carries elevated rights for as long as the work actually takes.

Common built-in roles

RoleScopeTypical assignment
Global AdministratorFull tenant controlEligible (PIM), never permanent; break-glass accounts excluded from PIM entirely
User AdministratorCreate/manage users and groups, reset non-admin passwordsTier 2 identity team, eligible
Helpdesk AdministratorReset passwords for non-admin users, limited scopeTier 1 support, can be permanent for a small, monitored team
Conditional Access AdministratorManage Conditional Access policies onlySecurity team, eligible
Intune AdministratorFull Intune managementEndpoint team, eligible

PIM activation flow

Eligible role to active role
Eligible assignmentNo standing access
↓ user requests activation
Justification + MFA challenge
↓ approved (auto or by approver)
Active, time-boundTypically 1-8 hours
↓ expires automatically
Back to eligible, no standing access

Least privilege checklist

Assignment hygiene

Before assigning any admin role

  • Is there a narrower built-in role that covers the actual task?
  • Can this be eligible instead of permanent?
  • Does the role need a time-bound assignment (start/end date) instead of indefinite?
  • Is approval required for activation, or is self-service justification enough?
🔍
Auditing

Review cadence

Run PIM access reviews quarterly for Global Administrator and other high-impact roles. Anyone who hasn't activated the role in 90 days is a candidate for removal.

PowerShell: viewing and activating roles

📋
List assignments

See who holds a given role

Get-MgRoleManagementDirectoryRoleAssignment -Filter "roleDefinitionId eq '$roleId'"
⏱️
Activate

Self-activate an eligible role via Graph

New-MgRoleManagementDirectoryRoleAssignmentScheduleRequest -Action "selfActivate" `
  -PrincipalId $userId -RoleDefinitionId $roleId `
  -DirectoryScopeId "/" -Justification "Investigating sign-in failure ticket #4521" `
  -ScheduleInfo @{ StartDateTime = (Get-Date); Expiration = @{ Type = "AfterDuration"; Duration = "PT4H" } }

🔐 Conditional Access

Conditional Access is the enforcement layer that turns "we have a policy" into "the sign-in actually gets blocked or challenged." Every policy is built from the same four building blocks, and almost every troubleshooting question comes down to which one of those four is not doing what you expect.

Anatomy of a Conditional Access policy
AssignmentsWho, which apps, which conditions
Grant controlsRequire MFA, compliant device, etc.
Session controlsSign-in frequency, app-enforced restrictions

Common policy templates

PolicyAssignmentGrant control
Require MFA for all usersAll users, all cloud appsRequire multifactor authentication
Block legacy authenticationAll users, condition: client apps = legacy auth clientsBlock access
Require compliant deviceAll users, all cloud appsRequire device to be marked compliant
Require MFA for admin rolesDirectory role assignment (Global Admin, etc.), all cloud appsRequire multifactor authentication, no exceptions
Block by locationAll users, condition: named location not in trusted listBlock access

Safe rollout of a new policy

1️⃣
Step 1

Create in Report-only mode

Never flip a new policy straight to On. Report-only logs what would have happened without actually blocking anyone.

2️⃣
Step 2

Review sign-in logs for 3 to 7 days

Entra ID sign-in logs have a Conditional Access tab showing exactly which policies would apply and their simulated result per sign-in.

3️⃣
Step 3

Scope to a pilot group first

Even after Report-only review, switch On for a small pilot group before applying to All users.

🆘
Safety net

Always exclude break-glass accounts

Every Conditional Access policy should exclude at least two emergency access accounts, stored offline, monitored for any sign-in activity.

A misconfigured CA policy with no exclusion has locked entire tenants out before. Test carefully.

PowerShell: creating a policy

New-MgIdentityConditionalAccessPolicy -DisplayName "Require MFA - All Users" `
  -State "enabledForReportingButNotEnforced" `
  -Conditions @{ Applications = @{ IncludeApplications = @("All") }; Users = @{ IncludeUsers = @("All"); ExcludeUsers = @($breakGlassId) } } `
  -GrantControls @{ Operator = "OR"; BuiltInControls = @("mfa") }

🔑 Authentication Methods & MFA

Not all MFA methods are equal, and the strongest available method should be the default, not the fallback. Set the direction here, then use Authentication Strengths inside Conditional Access to require a stronger method for the sensitive stuff.

Authentication methods compared

MethodStrengthBest for
FIDO2 security keyPhishing-resistantAdmin roles, high-value targets
Certificate-based authenticationPhishing-resistantEnvironments already running smart cards or PKI
Microsoft Authenticator, push notificationStrong, but vulnerable to prompt-bombing without number matchingGeneral workforce, enable number matching
Temporary Access PassTime-limited, single or limited useOnboarding new hires, passwordless bootstrap, account recovery
SMS or voice callWeakest, vulnerable to SIM swapLast resort only, plan to retire

Self-service password reset (SSPR)

🔁
Setup checklist

Before turning SSPR on for everyone

  • Require at least two authentication methods for reset (not just one).
  • Combine the registration experience with MFA registration, one prompt instead of two.
  • Set a registration campaign with a deadline, not an open-ended nag.
  • Enable password writeback if hybrid, so a cloud reset also updates on-prem AD.
🎯
Authentication strengths

Requiring phishing-resistant MFA for admins

Create a custom Authentication Strength containing only FIDO2 and certificate-based auth, then reference it in the admin Conditional Access policy's grant control instead of the generic "require MFA" control.

🔄 Hybrid Identity & Sync

Most sign-in problems in a hybrid environment trace back to sync, not to Entra ID itself. Knowing the sync cycle and where to look for failures saves hours of chasing the wrong layer.

Entra Connect sync cycle
On-prem AD change
Delta syncEvery 30 min by default
Entra ID updated

A full sync scans every object and is much slower; run it only after a schema change or config fix, not routinely.

Common sync problems

SymptomLikely causeFix
User exists on-prem but not in Entra IDObject is outside the configured OU sync scope, or filtered by an attribute-based sync ruleCheck Entra Connect's OU filtering in the sync configuration
Duplicate attribute value errorTwo on-prem objects share the same UPN or proxyAddressFind and fix the duplicate in on-prem AD, the sync engine will not resolve it for you
Object in quarantineSync connector hit repeated errors for that objectReview the specific error in Entra Connect Health, fix the source attribute
Password changes not reflecting in cloudPassword Hash Sync cycle delay (usually under 2 minutes) or the sync service is stoppedCheck the Entra Connect sync scheduler service is running

PowerShell on the sync server

🔄
Force sync

Trigger an immediate delta sync

Start-ADSyncSyncCycle -PolicyType Delta
📊
Health check

Check the last run's status

Get-ADSyncConnectorRunStatus
Get-ADSyncScheduler
🔍
Find errors

Review sync errors in the console

Open Synchronization Service Manager on the Entra Connect server, check the Operations tab for the latest run, and drill into any object with an error status.

⚡ PowerShell / Graph Quick Fixes

Fast commands for the moment something in identity is broken and someone is waiting.

🔓
Unlock / re-enable

Re-enable a blocked account

Update-MgUser -UserId $userId -AccountEnabled:$true
🔁
Force sign-out

Revoke all active sessions for a user

Revoke-MgUserSignInSession -UserId $userId

Use this after a suspected account compromise, it invalidates refresh tokens tenant-wide for that user.

🔑
MFA reset

Remove a user's registered authentication methods

Get-MgUserAuthenticationMethod -UserId $userId
Remove-MgUserAuthenticationMethod -UserId $userId -AuthenticationMethodId $methodId
📜
Sign-in logs

Pull recent failed sign-ins for a user

Get-MgAuditLogSignIn -Filter "userPrincipalName eq '$upn' and status/errorCode ne 0" -Top 20
🎫
License check

Find users missing an expected license

Get-MgUser -All | Where-Object { -not (Get-MgUserLicenseDetail -UserId $_.Id) } |
  Select-Object DisplayName, UserPrincipalName
🧭
Join state

Confirm a workstation's identity state locally

dsregcmd /status
🗑️
Stale devices

Find devices that haven't checked in for 90 days

Get-MgDevice -All | Where-Object { $_.ApproximateLastSignInDateTime -lt (Get-Date).AddDays(-90) } |
  Select-Object DisplayName, ApproximateLastSignInDateTime

🧯 Troubleshooting: Sign-in Errors (AADSTS Codes)

The Entra ID sign-in logs report a specific AADSTS code for every failure. Learn the common ones and you skip most of the guesswork.

CodeMeaningFix
AADSTS50126Invalid username or passwordConfirm the account isn't locked and the password wasn't recently changed elsewhere (hybrid password writeback delay)
AADSTS50076MFA is required but wasn't satisfied for this sign-inHave the user complete MFA registration or re-authenticate through the MFA prompt
AADSTS53003Access blocked by a Conditional Access policyCheck the sign-in log's Conditional Access tab to see exactly which policy fired and why
AADSTS50079User needs to register for MFA before continuingDirect the user to the registration portal, or extend a Temporary Access Pass
AADSTS700016Application not found in this tenant's directoryVerify the app registration exists and the tenant ID in the request matches
AADSTS90072User's home tenant doesn't match the tenant being signed into (guest/B2B scenario)Confirm the correct tenant URL is being used, or that guest invitation redemption completed
AADSTS50034The user account doesn't exist in this directoryCheck for typos in UPN, or confirm the sync hasn't failed for that object
AADSTS165000Generic backend service error, often transientRetry; if persistent, check Entra ID service health for an active incident

General troubleshooting order

1️⃣
First

Check Entra ID service health

Rule out a tenant-wide incident before digging into one user's account.

2️⃣
Second

Pull the exact sign-in log entry

The AADSTS code and the Conditional Access evaluation detail are both on that one log entry; don't guess from the user's description alone.

3️⃣
Third

Confirm sync health if the account is hybrid

A stale or quarantined sync object explains a surprising number of "the account should work" tickets.